How to check the CVE status in OpenSTLinux

Revision as of 13:36, 11 May 2023 by Registered User (section: OpenSTLinux)
Applicable for STM32MP13x lines, STM32MP15x lines

1. Overview

This article explains how to configure the OpenSTLinux Yocto build so that it checks the CVE status of the packages it builds, and where to find the resulting reports.

2. Openembedded/Yocto

Openembedded/Yocto provides a class, cve-check, which compares the version of every recipe built against the NVD database and reports the known CVEs for it.
To enable the CVE status check, add the following line to your build configuration (conf/local.conf):

INHERIT += "cve-check"

For more information on how to configure the check and how to exclude CVEs or recipes from it (for example with the CVE_CHECK_IGNORE and CVE_CHECK_SKIP_RECIPE variables, whose names depend on the Yocto release), see the section "Vulnerability check at build time" in the Yocto manual.

When the check runs, cve-check writes one report per recipe in the <build directory>/tmp-glibc/deploy/cve/ directory. For tf-a-stm32mp, for example, two files are produced:

tf-a-stm32mp
tf-a-stm32mp_cve.json

Both files contain the same information: the first as plain text, the second as JSON, which is the one to use if you want to post-process the results. Note that cve-check reports a CVE as "Patched" only when the recipe applies a patch it can associate with that CVE identifier (the identifier in the patch file name or in a CVE: tag of the patch header); fixes applied any other way show up as "Unpatched" until they are explicitly ignored in the configuration, so an "Unpatched" entry means "not proven fixed", not necessarily "exploitable".
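The JSON report is the natural input for gating a build on its CVE status. The script below is an added example, not part of the OpenSTLinux wiki or of the cve-check class: it parses the per-recipe JSON, counts issues per status, lists the "Unpatched" entries at or above a CVSSv3 threshold and exits non-zero if any are found. The embedded sample document is constructed, modelled on the layout cve-check writes (a top-level "package" list whose entries carry an "issue" list with "id", "status" and "scorev3" fields); the CVE identifiers in it are dummy placeholders, and the field names should be checked against your own files under deploy/cve/ before relying on the script.

```python
"""Summarise the per-recipe CVE JSON files written by the Yocto cve-check class.

Added example, not part of the OpenSTLinux wiki or of the cve-check class itself.
"""
import json
import os
import sys
from collections import Counter

# Constructed sample, modelled on <build>/tmp-glibc/deploy/cve/<recipe>_cve.json.
# The CVE identifiers are dummy placeholders, not real vulnerabilities.
SAMPLE_JSON = json.dumps({
    "version": "1",
    "package": [
        {
            "name": "tf-a-stm32mp",
            "layer": "meta-st-stm32mp",
            "version": "2.8",
            "products": [{"product": "trusted_firmware-a", "cvesInRecord": "Yes"}],
            "issue": [
                {"id": "CVE-0000-0001", "status": "Patched", "scorev3": "7.5", "vector": "NETWORK"},
                {"id": "CVE-0000-0002", "status": "Unpatched", "scorev3": "9.8", "vector": "NETWORK"},
                {"id": "CVE-0000-0003", "status": "Ignored", "scorev3": "5.3", "vector": "LOCAL"},
                {"id": "CVE-0000-0004", "status": "Unpatched", "scorev3": "4.0", "vector": "LOCAL"},
            ],
        }
    ],
})


def parse_cve_report(text):
    """Return {recipe_name: [issue, ...]} from one cve-check JSON document."""
    data = json.loads(text)
    return {pkg["name"]: pkg.get("issue", []) for pkg in data.get("package", [])}


def summarize(report):
    """Count issues per recipe and per status ("Patched", "Unpatched", "Ignored")."""
    return {name: dict(Counter(issue["status"] for issue in issues))
            for name, issues in report.items()}


def unpatched_above(report, min_cvss):
    """List (recipe, cve_id, score) for Unpatched issues with CVSSv3 >= min_cvss.

    A missing or non-numeric score is treated as 0.0, so such issues are only
    listed when min_cvss is 0.0; raise the threshold deliberately, not by accident.
    """
    hits = []
    for name, issues in report.items():
        for issue in issues:
            if issue.get("status") != "Unpatched":
                continue
            try:
                score = float(issue.get("scorev3", "0.0"))
            except ValueError:
                score = 0.0
            if score >= min_cvss:
                hits.append((name, issue["id"], score))
    # Highest score first so the most urgent entries lead the output.
    return sorted(hits, key=lambda hit: -hit[2])


def scan_deploy_dir(cve_dir, min_cvss=7.0):
    """Merge every *_cve.json under cve_dir (e.g. tmp-glibc/deploy/cve) and gate on it."""
    merged = {}
    for entry in sorted(os.listdir(cve_dir)):
        if entry.endswith("_cve.json"):
            with open(os.path.join(cve_dir, entry), encoding="utf-8") as fh:
                merged.update(parse_cve_report(fh.read()))
    return unpatched_above(merged, min_cvss)


if __name__ == "__main__":
    # Usage: python cve_gate.py <build>/tmp-glibc/deploy/cve  (no argument: run on the sample)
    if len(sys.argv) > 1:
        hits = scan_deploy_dir(sys.argv[1])
    else:
        hits = unpatched_above(parse_cve_report(SAMPLE_JSON), 7.0)
    for recipe, cve_id, score in hits:
        print(f"{recipe}: {cve_id} (CVSSv3 {score}) is Unpatched")
    sys.exit(1 if hits else 0)
```

Run without arguments it exercises the constructed sample; pointed at the deploy/cve directory of a real build it walks all the per-recipe reports. Keep in mind that the gate only reflects what cve-check could prove: the "Unpatched" list should be reviewed against the recipe's patches and the CVE_CHECK_IGNORE configuration before it is treated as a list of open vulnerabilities.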

3. OpenSTLinux

When the CVE check is enabled, OpenSTLinux additionally generates an HTML file that summarises the CVE status of the main image. It is written to the image deploy directory under the name:

<image-name>-<distro>-<machine>-cve_content.html

for example:

st-image-weston-openstlinux-weston-stm32mp25-cve_content.html